Markus Koschany pushed to branch stretch at Debian Java Maintainers / tomcat8
Commits: e64edfd6 by Markus Koschany at 2020-07-22T17:22:20+02:00 Add CVE-2020-13934.patch and CVE-2020-13935.patch - - - - - 98510bdf by Markus Koschany at 2020-07-22T17:23:56+02:00 Update changelog - - - - - 4 changed files: - debian/changelog - + debian/patches/CVE-2020-13934.patch - + debian/patches/CVE-2020-13935.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,19 @@ +tomcat8 (8.5.54-0+deb9u3) stretch-security; urgency=high + + * Non-maintainer upload by the LTS team. + * Fix CVE-2020-13934: + An h2c direct connection to Apache Tomcat did not release the HTTP/1.1 + processor after the upgrade to HTTP/2. If a sufficient number of such + requests were made, an OutOfMemoryException could occur leading to a denial + of service. + * Fix CVE-2020-13935: + The payload length in a WebSocket frame was not correctly validated in + Apache Tomcat. Invalid payload lengths could trigger an infinite loop. + Multiple requests with invalid payload lengths could lead to a denial of + service. + + -- Markus Koschany <[email protected]> Wed, 22 Jul 2020 17:22:27 +0200 + tomcat8 (8.5.54-0+deb9u2) stretch-security; urgency=high * Non-maintainer upload by the LTS team. ===================================== debian/patches/CVE-2020-13934.patch ===================================== 
@@ -0,0 +1,52 @@ +From: Markus Koschany <[email protected]> +Date: Tue, 21 Jul 2020 15:18:25 +0200 +Subject: CVE-2020-13934 + +Origin: https://github.com/apache/tomcat/commit/923d834500802a61779318911d7898bd85fc950e +--- + java/org/apache/coyote/AbstractProtocol.java | 9 ++++++--- + webapps/docs/changelog.xml | 4 ++++ + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/java/org/apache/coyote/AbstractProtocol.java b/java/org/apache/coyote/AbstractProtocol.java +index 39153f1..577ebbf 100644 +--- a/java/org/apache/coyote/AbstractProtocol.java ++++ b/java/org/apache/coyote/AbstractProtocol.java +@@ -826,8 +826,10 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler, + // Assume direct HTTP/2 connection + UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c"); + if (upgradeProtocol != null) { +- processor = upgradeProtocol.getProcessor( +- wrapper, getProtocol().getAdapter()); ++ // Release the Http11 processor to be re-used ++ release(processor); ++ // Create the upgrade processor ++ processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter()); + wrapper.unRead(leftOverInput); + // Associate with the processor with the connection + connections.put(socket, processor); +@@ -837,7 +839,8 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler, + "abstractConnectionHandler.negotiatedProcessor.fail", + "h2c")); + } +- return SocketState.CLOSED; ++ // Exit loop and trigger appropriate clean-up ++ state = SocketState.CLOSED; + } + } else { + HttpUpgradeHandler httpUpgradeHandler = upgradeToken.getHttpUpgradeHandler(); +diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml +index bb17a96..278c497 100644 +--- a/webapps/docs/changelog.xml ++++ b/webapps/docs/changelog.xml +@@ -145,6 +145,10 @@ + system property changing how the sequence <code>%5c</code> is + interpretted in a URI. 
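Review bot: In the first hunk `release(processor)` now runs before `wrapper.unRead(leftOverInput)`, yet `leftOverInput` is taken from that same Http11 processor earlier in the method, outside this hunk. If `getLeftoverInput()` hands back a view over the processor's internal input buffer rather than a copy — I could not confirm that from this patch — then releasing the processor "to be re-used", as the new comment says, makes that buffer available to another connection before this thread has copied the bytes into the socket wrapper, a narrow race that would corrupt the leftover h2c preface data. Reordering closes the window at no cost: `wrapper.unRead(leftOverInput);` first, then `release(processor);`, then create the upgrade processor. In the second hunk `state = SocketState.CLOSED;` in place of the early `return` correctly falls through to the loop's normal clean-up, but it leaves `processor` still pointing at the un-released Http11 processor, so it is worth confirming that the post-loop release path in the backported 8.5.54 source matches upstream; the enclosing `process()` method starts and ends outside both hunks.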
(markt) + </fix> ++ <fix> ++ Ensure that the HTTP/1.1 processor is correctly recycled when a direct ++ connection to h2c is made. (markt) ++ </fix> + </changelog> + </subsection> + <subsection name="Other"> ===================================== debian/patches/CVE-2020-13935.patch ===================================== 
@@ -0,0 +1,60 @@ +From: Markus Koschany <[email protected]> +Date: Tue, 21 Jul 2020 15:19:02 +0200 +Subject: CVE-2020-13935 + +Origin: https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5 +--- + java/org/apache/tomcat/websocket/LocalStrings.properties | 1 + + java/org/apache/tomcat/websocket/WsFrameBase.java | 7 +++++++ + webapps/docs/changelog.xml | 8 ++++++++ + 3 files changed, 16 insertions(+) + +diff --git a/java/org/apache/tomcat/websocket/LocalStrings.properties b/java/org/apache/tomcat/websocket/LocalStrings.properties +index 744619a..7f770fa 100644 +--- a/java/org/apache/tomcat/websocket/LocalStrings.properties ++++ b/java/org/apache/tomcat/websocket/LocalStrings.properties +@@ -71,6 +71,7 @@ wsFrame.noContinuation=A new message was started when a continuation frame was e + wsFrame.notMasked=The client frame was not masked but all client frames must be masked + wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid + wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}] ++wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set + wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed + wsFrame.suspendRequested=Suspend of the message receiving has already been requested. 
+ wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages +diff --git a/java/org/apache/tomcat/websocket/WsFrameBase.java b/java/org/apache/tomcat/websocket/WsFrameBase.java +index 28cdc30..4afad67 100644 +--- a/java/org/apache/tomcat/websocket/WsFrameBase.java ++++ b/java/org/apache/tomcat/websocket/WsFrameBase.java +@@ -261,6 +261,13 @@ public abstract class WsFrameBase { + } else if (payloadLength == 127) { + payloadLength = byteArrayToLong(inputBuffer.array(), + inputBuffer.arrayOffset() + inputBuffer.position(), 8); ++ // The most significant bit of those 8 bytes is required to be zero ++ // (see RFC 6455, section 5.2). If the most significant bit is set, ++ // the resulting payload length will be negative so test for that. ++ if (payloadLength < 0) { ++ throw new WsIOException( ++ new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid"))); ++ } + inputBuffer.position(inputBuffer.position() + 8); + } + if (Util.isControl(opCode)) { +diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml +index 278c497..9533c04 100644 +--- a/webapps/docs/changelog.xml ++++ b/webapps/docs/changelog.xml +@@ -188,6 +188,14 @@ + </fix> + </changelog> + </subsection> ++ <subsection name="WebSocket"> ++ <changelog> ++ <fix> ++ <bug>64563</bug>: Add additional validation of payload length for ++ WebSocket messages. (markt) ++ </fix> ++ </changelog> ++ </subsection> + <subsection name="Other"> + <changelog> + <fix> ===================================== debian/patches/series ===================================== 
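Review bot: The new guard in `WsFrameBase` rejects only a 64-bit length whose most significant bit is set; any positive value up to `Long.MAX_VALUE` still passes it, so protection against absurdly large frames rests on later checks (the 125-byte control-frame limit and the session's maximum message size) that are outside this hunk — worth confirming in the backported 8.5.54 source that those run before anything is allocated or iterated based on `payloadLength`. RFC 6455 section 5.2 additionally requires the minimal encoding, i.e. the 127 form only for lengths above 65535; a stricter `if (payloadLength < 0 || payloadLength < 65536) { throw ... }` would enforce that, but it could break lenient clients and is arguably out of scope for a security backport, so I would only mention it in the comment rather than add it. The comment should also state why the buffer position is not advanced before the throw — presumably the `PROTOCOL_ERROR` close reason ends the session so no further parsing happens on this buffer, though that close handling is not visible here. The enclosing method starts and ends outside the hunk.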
@@ -9,3 +9,5 @@ 0018-fix-manager-webapp.patch CVE-2020-11996.patch CVE-2020-9484.patch +CVE-2020-13934.patch +CVE-2020-13935.patch View it on GitLab: https://salsa.debian.org/java-team/tomcat8/-/compare/3f2f4bb56e9c6340a23abbdd6ff09a75d9db5d5e...98510bdf09ffc0fa6beb9a2383e70a4d5b032e95 -- View it on GitLab: https://salsa.debian.org/java-team/tomcat8/-/compare/3f2f4bb56e9c6340a23abbdd6ff09a75d9db5d5e...98510bdf09ffc0fa6beb9a2383e70a4d5b032e95 You're receiving this email because of your account on salsa.debian.org.

